
NAC Guest Registration - Different portals by Devicetype


LeoP1
Contributor
Hi Guys,

I'm working on a NAC deployment for a customer, and we are having some issues with Guest Registration while using social media authentication. We use Advanced-Location in NAC.

To make it work as the customer asked, we need to use the Autologin from devices (using a browser is supported and better, but it raises issues with certificate errors, almost all sites are now HTTPS and we can't redirect it seamlessly, guests connecting and opening apps instead of browsers, etc)... But there's another issue: The Apple iOS devices WebKit is not allowed for Google auth...

I'm thinking about creating different portals for iOS and Others, where in the iOS portal the Google option should be suppressed, but the Unregistered Loc rules can't be modified to choose Device Types.

I've cloned the rule and put it just above the NAC generated Unreg rule, just pointing to another portal, but it didn't work: The iOS device is redirected to the new "Googleless" portal, but not to the registration page... It shows a "Your device is registered, you are good to go" and stays in the Unreg-Clone role.

Any ideas?

Best regards,
-Leo
10 REPLIES

LeoP1
Contributor
Hi guys,

I have found something... I'll run some tests and update you asap.

Best regards,
-Leo

LeoP1
Contributor
Hi Rodney,

The issue is that the device is hitting the Unreg rule correctly and gets redirected to the right portal, but not to the "Enterprise Registration", where the guest registration options are shown... So the user can't even register (showing the "Your device has completed the verification. Network access granted" message).

I tried to disable the custom rules and set the iOS portal on the NAC-generated Unreg Loc rule... And it works perfectly...

It looks like NAC only redirects the device to the registration portal if it hits the Adv Loc NAC-generated rule, and not a custom rule as I need (Unreg iOS devices to portal A and all other to portal B).

Ps: I've created the suggested Registered rule above my custom Unreg rule, but the results are still the same. By the way, my custom rules are above the system rules for now, just to make sure the device will hit for testing.

Best regards,
-Leo

Rodney_Lacroix
Extreme Employee
I just ran this test and my GUESS here is, without seeing your configuration, that you don't have a matching "Registered Guests" rule for the device group. Because of this, the rule to match the unregistered device group will always be hit before any "Registered Guests" system rules that have been created.

Try creating a rule like:

Name: iOS Registered
End System Group: Registered Guests
Device Type Group: Apple iOS (assuming this is the same device type group you used)
Profile: Default NAC (or whatever your accept profile is)

Place this rule ABOVE your Unregistered device-type specific rule.

Unfortunately, this will apply to all locations so you will need to create individually unique rules for any and all specific locations these devices might be coming from.
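The ordering effect described in the reply above, as an added example that is not part of the thread or of the product's rule engine: a simplified first-match model in Python. Rule names and profiles come from the thread; the match criteria on each rule, the "FB" location value and the "Lobby" location are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class EndSystem:
    groups: frozenset      # end-system groups the device belongs to
    device_type: str
    location: str

@dataclass(frozen=True)
class Rule:
    name: str
    profile: str
    group: Optional[str] = None        # None models "Any"
    device_type: Optional[str] = None
    location: Optional[str] = None

    def matches(self, es: EndSystem) -> bool:
        return ((self.group is None or self.group in es.groups)
                and (self.device_type is None or self.device_type == es.device_type)
                and (self.location is None or self.location == es.location))

def first_match(rules, es):
    """Top-down evaluation: the first matching rule decides the profile."""
    return next((r for r in rules if r.matches(es)), None)

# Assumed criteria: the cloned rule matches on device type and location only.
UNREG_IOS = Rule("Unregistered Loc: FB iOS", "Unregistered-CP",
                 device_type="Apple iOS", location="FB")
REGISTERED = Rule("Registered Guests", "Default NAC", group="Registered Guests")
UNREG_FB = Rule("Unregistered Loc: FB", "Unregistered-CP", location="FB")
# The suggested rule: no location criterion, so it applies everywhere.
IOS_REGISTERED = Rule("iOS Registered", "Default NAC",
                      group="Registered Guests", device_type="Apple iOS")

BEFORE = [UNREG_IOS, REGISTERED, UNREG_FB]   # custom rule above system rules
AFTER = [IOS_REGISTERED] + BEFORE            # suggested rule placed on top

# Constructed end systems for the walk-through.
REG_IOS = EndSystem(frozenset({"Registered Guests"}), "Apple iOS", "FB")
NEW_IOS = EndSystem(frozenset(), "Apple iOS", "FB")
REG_IOS_LOBBY = EndSystem(frozenset({"Registered Guests"}), "Apple iOS", "Lobby")

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for es in (REG_IOS, NEW_IOS, REG_IOS_LOBBY):
            hit = first_match(rules, es)
            print(label, es.location, sorted(es.groups), "->", hit.name, "/", hit.profile)
```

In this model a registered iOS device keeps landing on the unregistered rule until "iOS Registered" sits above it, and the same rule also catches registered iOS devices at every other location.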

LeoP1
Contributor
Hi Guys,

By the way, I'm testing on EMC/NAC 8.1.3.65 and IdentiFI 10.41.08.0012 (WS-AP3825i).

Rodney: Yes, I'm using the "Redirect Immediately" and HTTPS is not allowed for www.google.com (Trying in the browser, it's not reachable in the Unreg state, just to make sure).

Ryan: Sure... The device is already removed and has no previous registration.

The oddity is that the device is reaching the "Enterprise Remediation" and not the "Enterprise Registration" page, and showing the message "Your device has completed the verification. Network access granted" instead of the Registration Portal.

Attached is verbose logging from this device. (By the way, I'm using an Android device for this test... This is a LAB NAC, so there's no sensitive info): https://drive.google.com/drive/folders/0B5JU7eabVqiCbDhoLWN3NHJrTkU?usp=sharing

ISSUE:
It hits the Unregistered Loc: FB iOS (manually created rule), receives the Unregistered-CP NAC Profile (policy = GuestNonAuth just like the working and NAC-Generated Unregistered Loc: FB) and gets redirected to the Social-iOS portal (instead of FB portal).

WORKING (it shows the registration portal):
It hits the Unregistered Loc: FB (NAC generated rule when creating Advanced Location), receives the Unregistered-CP NAC Profile (just as the other rule) and gets redirected to the FB portal (the only different config between both portals is FB = Facebook,MS,Google and Social-IOS=FB,MS).

The difference between rules that I can see is the "Unregistered user will be redirected to Registration web page." message below the NAC generated Unregistered Loc: FB (the manual rule doesn't show this message, and I've already tried creating a rule without the 'Loc:', with the same results).

Thanks!
-Leo

Ryan_Yacobucci
Extreme Employee
Hey Leo,

Did you make sure to remove the device's registration before another attempt?

The "Your device is registered" message usually is an indication that there is a registration for that device.

If so, like Rodney said, we'd need to get some verbose logging to take a closer look.

Thanks
-Ryan
